Sunday, October 31, 2010

Now that over a week has passed since this Economist article was published, I wanted to cite it and ask if the problem it describes sounds familiar:

Globally, shrinkage [(losses from shoplifting, theft by workers and accounting errors)] cost retailers $107 billion in the year to June. This was 5.6% less than the previous year, but still the equivalent of 1.36% of sales...

When it comes to thwarting thieves, shop-owners are on their own. In most countries the criminal justice system has all but given up trying to punish shoplifters... So retailers install CCTV cameras, attach so-called electronic article surveillance tags to their wares, train their staff to spot thieves and screen workers for criminal records before hiring them. This year retailers spent $26.8 billion, or 0.34% of sales, on preventing theft.

Some dismiss shoplifting simply as a cost of doing business. Yet it can be serious. Some shoplifters work in organised gangs. Some turn violent when interrupted. Some, especially those who are hooked on drugs, are persistent and prolific.

And all impose a cost on honest shoppers. Theft inflates the average family’s annual shopping bill by $186.

How many of us in the cyber world thought we were the only ones "on our own" fighting adversaries?

The critical difference between shrinkage and digital intrusions is that retailers can measure losses because their products all bear price tags. Maybe businesses could help security professionals by putting "labels" on information assets? Even a WAG would help!

Saturday, October 30, 2010

A colleague of mine who runs another Fortune 10 CIRT asked the following question:

Let's say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?

There are two ways to approach this problem, but they will likely converge at some point anyway:

Focus on the assets.

Focus on the threats.

Focus on the assets means identify the most critical assets in your organization. You pay the most attention to them regardless of who you think is causing suspicious or malicious activity that may or may not affect those assets. In other words, whether you believe a mindless malware sample or an advanced threat may be affecting those critical assets, you still devote resources to collection and analysis of activity involving those assets.

Focus on the threats means identifying the most worrisome threats to your organization. You pay the most attention to them regardless of what assets they may target. In other words, whether you see these threats conduct reconnaissance or enterprise-wide exploitation, you still devote resources to collection and analysis of activity involving those threats.

I say these two approaches are likely to converge, because at some point you will see your most critical assets targeted by your most worrisome threats. In fact, you are likely to determine that a threat is the most worrisome precisely because it spends the most time and effort trying to access your critical assets.

I think operationalizing both approaches is tough, because many don't really know what is most important, or how to identify the most worrisome threats. Identifying critical assets is probably easier. If you identify critical assets, and then identify dedicated threats to those assets, you're probably in a position to now deal with both approaches.

You probably notice I've mentioned two of the three components of the risk equation -- assets and threats. I did not mention vulnerabilities yet. Yes, you could decide what assets have the most vulnerabilities and focus on suspicious and malicious activity affecting those assets. A lot of shops do this because it is probably the easiest approach, since identifying and categorizing vulnerabilities is probably easier than doing the same for assets and threats. However, you might waste a lot of time chasing assets which aren't as important as others. Still, this is another approach if you find that you can't make any progress on the asset- or threat-centric approaches.Tweet

Monday, October 25, 2010

FIRST is holding a one-day Technical Colloquium in Herndon, VA on Tue 2 Nov 2010, organized by Jeffrey Palatt from IBM. The event is free and open to FIRST members and their guests, but seating is limited. The program features several good speakers but the interaction among the attendees is often what I like best! As you might expect the content involves detection and response to security incidents.

If you are not a FIRST member but would like to see if I can sponsor you, email taosecurity at gmail dot com by Tuesday evening. Please use "FIRST TC" as the subject of the email. I will do what I can to accommodate requests, but FIRST makes the final decision concerning attendance for non-FIRST members.Tweet

Sunday, October 17, 2010

Recently a colleague asked me for resources for building incident response teams. I promised I would provide a few ideas, so I thought a blog post might be helpful. I figured some of you might want to add comments with links or thoughts.

The CERT.org CSIRT Development site is probably the best place to start. From there you can find free documents, links to classes offered by SEI on building CIRTs, and so on. I don't think you can beat that site!

I don't think the resources at the FIRST site are as helpful, but the process of working toward membership is a great exercise for a new CIRT.

I read Professional Assembly Language (PAL) by Richard Blum because I wanted to become somewhat familiar with assembly language. Books like "Introduction to 80x86 Assembly Language and Computer Architecture" by Richard Detmer or "Introduction to Assembly Language Programming: From 8086 to Pentium Processors" by Sivarama P. Dandamudi seemed too dense and textbook-like to meet my needs. PAL, on the other hand, appeared very practical and focused on getting readers working with assembly language early in the text. As long as you understand the nature of PAL and the author's goals, I think you'll enjoy reading the book as much as I did.

Amazon.com just posted my four star review of Cyber War by Richard Clarke and Robert Knake. From the review:

The jacket for "Cyber War" (CW) says "This is the first book about the war of the future -- cyber war." That's not true, but I would blame the publisher for those words and not the authors. A look back to 1998 reveals books like James Adams' "The Next World War: Computers Are the Weapons & the Front Line Is Everywhere," a book whose title is probably cooler than its contents. (I read it back then but did not review it.) So what's the value of CW? I recommend reading the book if you'd like a Beltway insider's view of government and military information warfare history, combined with a few recommendations that could make a difference. CW is strongest when drawing on the authors' experience with arms control but weakest when trying to advocate technical "solutions."